mozilla_selinux(8)          SELinux Policy mozilla          mozilla_selinux(8)

NAME

       mozilla_selinux - Security Enhanced Linux Policy for the mozilla
       processes


DESCRIPTION

       Security-Enhanced Linux secures the mozilla processes via flexible
       mandatory access control.

       The mozilla processes execute with the mozilla_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep mozilla_t



ENTRYPOINTS

       The mozilla_t SELinux type can be entered via the mozilla_exec_t file
       type.

       The default entrypoint paths for the mozilla_t domain are the
       following:

       /usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/[^/]*firefox[^/]*/firefox-bin,
       /usr/lib/mozilla[^/]*/reg.+, /usr/lib/firefox[^/]*/mozilla-.*,
       /usr/lib/mozilla[^/]*/mozilla-.*, /usr/bin/mozilla-[0-9].*,
       /usr/lib/netscape/.+/communicator/communicator-smotif.real,
       /usr/bin/mozilla-bin-[0-9].*, /usr/bin/mozilla, /usr/bin/epiphany,
       /usr/bin/netscape, /usr/bin/epiphany-bin, /usr/lib/galeon/galeon,
       /usr/bin/mozilla-snapshot, /usr/lib/netscape/base-4/wrapper


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       mozilla policy is very flexible, allowing users to set up their mozilla
       processes in as secure a manner as possible.

       The following process types are defined for mozilla:

       mozilla_t, mozilla_plugin_t, mozilla_plugin_config_t

       Note: semanage permissive -a mozilla_t can be used to make the process
       type mozilla_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated. Treat permissive mode as a diagnostic step: use it to
       collect the denials a new profile or plugin triggers, then revert with
       semanage permissive -d mozilla_t once the policy or the labels have
       been fixed.


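       The note above says that denials are still logged for a permissive
       domain. The script below is an added example, not part of the mozilla
       policy or of the sepolicy generator: it summarises the AVC denials
       raised by mozilla_t (as found in /var/log/audit/audit.log or printed by
       ausearch -m AVC) and names the boolean from the BOOLEANS section that
       would cover each class of denial. The boolean mapping in
       suggest_boolean is this example's reading of the boolean descriptions
       on this page, not policy metadata, and the audit lines in SAMPLE_AUDIT
       are constructed so the script runs offline.

```sh
#!/bin/sh
# Added example: triage AVC denials raised by the mozilla_t domain.
# SAMPLE_AUDIT is constructed input in the audit.log AVC format; on a live
# system feed the output of "ausearch -m AVC -c firefox" instead.

SAMPLE_AUDIT='type=AVC msg=audit(1571234567.101:301): avc:  denied  { read } for  pid=2101 comm="firefox" name="notes.txt" dev="dm-0" ino=4711 scontext=unconfined_u:unconfined_r:mozilla_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1571234567.102:302): avc:  denied  { execmem } for  pid=2101 comm="firefox" scontext=unconfined_u:unconfined_r:mozilla_t:s0 tcontext=unconfined_u:unconfined_r:mozilla_t:s0 tclass=process permissive=0
type=AVC msg=audit(1571234567.103:303): avc:  denied  { write } for  pid=2222 comm="sshd" name="authorized_keys" dev="dm-0" ino=4712 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1571234567.104:304): avc:  denied  { read } for  pid=2101 comm="firefox" name="notes.txt" dev="dm-0" ino=4711 scontext=unconfined_u:unconfined_r:mozilla_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# summarize_avc DOMAIN AUDIT_TEXT
# Prints one line "TARGET_TYPE TCLASS PERMISSIONS PERMISSIVE COUNT" per
# distinct denial whose source domain is DOMAIN.  Denials logged while the
# domain was permissive carry permissive=1; they are counted separately so
# the two modes can be told apart.  Several permissions in one record are
# joined with commas.
summarize_avc() {
    printf '%s\n' "$2" | awk -v dom="$1" '
        /avc: +denied/ {
            src = ""; tgt = ""; cls = ""; mode = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)   { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/)   { split($i, a, ":"); tgt = a[3] }
                if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
                if ($i ~ /^permissive=/) { mode = substr($i, 12) }
            }
            # the permission set sits between "{" and "}"
            b = index($0, "{"); e = index($0, "}")
            perm = substr($0, b + 1, e - b - 1)
            sub(/^ +/, "", perm); sub(/ +$/, "", perm); gsub(/ /, ",", perm)
            if (src == dom) count[tgt " " cls " " perm " " mode]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# suggest_boolean TARGET_TYPE TCLASS PERMISSIONS
# Names the boolean documented on this page that covers the denial, with
# the value that would permit it, or "none" when no documented boolean
# applies and a relabel or a local policy module is the right fix.  This
# mapping is an assumption drawn from the boolean descriptions; confirm it
# with "sesearch -A -s mozilla_t -t TARGET_TYPE -c TCLASS -p PERMISSION".
suggest_boolean() {
    case "$2 $3" in
        "process execmem")
            echo "deny_execmem=off (report the executable rather than flip this)" ;;
        "file read"|"dir read"|"dir search")
            case "$1" in
                user_home_t) echo "mozilla_read_content=on" ;;
                *)           echo none ;;
            esac ;;
        *)  echo none ;;
    esac
}

# triage DOMAIN AUDIT_TEXT: the summary with a suggestion appended per line.
triage() {
    summarize_avc "$1" "$2" | while read -r tgt cls perm mode count; do
        printf '%s %s { %s } permissive=%s count=%s -> %s\n' \
            "$tgt" "$cls" "$perm" "$mode" "$count" \
            "$(suggest_boolean "$tgt" "$cls" "$perm")"
    done
}

triage mozilla_t "$SAMPLE_AUDIT"
```

       The execmem suggestion is deliberately phrased as a warning: the
       deny_execmem description below says the executable should be reported,
       not that the boolean should be relaxed.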

BOOLEANS

       SELinux policy is customizable based on least access required. mozilla
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run mozilla with the tightest access
       possible. The -P flag in the commands below writes the change to the
       policy store so that it survives a reboot; omit it to try a setting
       only until the next boot.

       If you want to allow confined web browsers to read home directory
       content, you must turn on the mozilla_read_content boolean. Disabled by
       default. Leave it off unless you need it: with it on, a compromised
       browser can read anything in the home directory that the user's UID
       can read.

       setsebool -P mozilla_read_content 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to deny user domain applications the ability to map a
       memory region as both executable and writable (this is dangerous, and
       the executable should be reported in bugzilla), you must turn on the
       deny_execmem boolean. Enabled by default.

       setsebool -P deny_execmem 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.

       setsebool -P selinuxuser_direct_dri_enabled 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. Enabled
       by default. This should never, ever be necessary: an executable stack
       probably indicates a badly coded executable, but could indicate an
       attack, and the executable should be reported in bugzilla.

       setsebool -P selinuxuser_execstack 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1


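       The booleans above are individual switches; what a practitioner wants
       is a way to compare a host against a chosen baseline and to see the
       exact setsebool commands that would bring it there. The script below is
       an added example, not part of the mozilla policy or of the sepolicy
       generator. The baseline values are this example's choice (the tightest
       settings the descriptions above allow), not the policy defaults, and
       SAMPLE_STATE is constructed "getsebool -a" output so that the script
       also runs on a machine without SELinux.

```sh
#!/bin/sh
# Added example: audit the mozilla-related booleans against a hardened
# baseline and print (not run) the setsebool commands that would fix the
# deviations.  BASELINE is an assumption of this example; SAMPLE_STATE is
# constructed "getsebool -a" output ("name --> on|off").

# one boolean per line: name and the value wanted
BASELINE='mozilla_read_content off
deny_execmem on
selinuxuser_execstack off
xserver_clients_write_xshm off'

SAMPLE_STATE='deny_execmem --> off
fips_mode --> on
mozilla_read_content --> on
selinuxuser_execstack --> on
xserver_clients_write_xshm --> off'

# current_state: live "getsebool -a" output when the tool exists, else the
# constructed sample
current_state() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool -a
    else
        printf '%s\n' "$SAMPLE_STATE"
    fi
}

# boolean_value NAME STATE_TEXT -> "on", "off", or "" when NAME is unknown
boolean_value() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n && $2 == "-->" { print $3 }'
}

# audit_booleans STATE_TEXT
# Prints "NAME current=VALUE expected=VALUE" for every baseline entry that
# deviates (current=missing when the policy does not define the boolean);
# prints nothing when the state matches the baseline.
audit_booleans() {
    printf '%s\n' "$BASELINE" | while read -r name want; do
        have=$(boolean_value "$name" "$1")
        if [ -z "$have" ]; then
            echo "$name current=missing expected=$want"
        elif [ "$have" != "$want" ]; then
            echo "$name current=$have expected=$want"
        fi
    done
}

# remediation STATE_TEXT -> the setsebool -P commands that fix the deviations
remediation() {
    audit_booleans "$1" | while read -r name cur want; do
        case "$cur" in
            current=missing) ;;     # not defined in this policy: nothing to set
            *) echo "setsebool -P $name ${want#expected=}" ;;
        esac
    done
}

state=$(current_state)
audit_booleans "$state"
remediation "$state"
```

       Review the printed commands before running them; the only way to be
       sure a boolean relaxation is needed is to look at the denials it would
       cover, not at the baseline alone.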

MANAGED FILES

       The SELinux process type mozilla_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permission to
       the files as well: SELinux adds a check, it does not replace the Unix
       permission bits. Note also that mozilla_home_t spans more than the
       browser profile: the list includes Thunderbird, Chromium, Java plugin
       and VPN client state, all of which a mozilla_t process may modify.

       cifs_t


       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       gconf_home_t

            /root/.local.*
            /root/.gconf(d)?(/.*)?
            /home/[^/]+/.local.*
            /home/[^/]+/.gconf(d)?(/.*)?

       gnome_home_type


       mozilla_home_t

            /home/[^/]+/.lyx(/.*)?
            /home/[^/]+/.java(/.*)?
            /home/[^/]+/.adobe(/.*)?
            /home/[^/]+/.gnash(/.*)?
            /home/[^/]+/.webex(/.*)?
            /home/[^/]+/.IBMERS(/.*)?
            /home/[^/]+/.galeon(/.*)?
            /home/[^/]+/.spicec(/.*)?
            /home/[^/]+/POkemon.*(/.*)?
            /home/[^/]+/.icedtea(/.*)?
            /home/[^/]+/.mozilla(/.*)?
            /home/[^/]+/.phoenix(/.*)?
            /home/[^/]+/.netscape(/.*)?
            /home/[^/]+/.ICAClient(/.*)?
            /home/[^/]+/.quakelive(/.*)?
            /home/[^/]+/.macromedia(/.*)?
            /home/[^/]+/.thunderbird(/.*)?
            /home/[^/]+/.gcjwebplugin(/.*)?
            /home/[^/]+/.grl-podcasts(/.*)?
            /home/[^/]+/.cache/mozilla(/.*)?
            /home/[^/]+/.icedteaplugin(/.*)?
            /home/[^/]+/zimbrauserdata(/.*)?
            /home/[^/]+/.config/chromium(/.*)?
            /home/[^/]+/.juniper_networks(/.*)?
            /home/[^/]+/.cache/icedtea-web(/.*)?
            /home/[^/]+/abc
            /home/[^/]+/mozilla.pdf
            /home/[^/]+/.gnashpluginrc

       mozilla_tmp_t


       mozilla_tmpfs_t


       nfs_t


       pulseaudio_home_t

            /root/.pulse(/.*)?
            /root/.config/pulse(/.*)?
            /root/.esd_auth
            /root/.pulse-cookie
            /home/[^/]+/.pulse(/.*)?
            /home/[^/]+/.config/pulse(/.*)?
            /home/[^/]+/.esd_auth
            /home/[^/]+/.pulse-cookie

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*

       xserver_tmpfs_t




FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux mozilla policy is very flexible, allowing users to set up their
       mozilla processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for mozilla. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk. Pick the type that matches how
       the files are used (see the list below); the generated example uses
       mozilla_tmpfs_t only to show the syntax.

       semanage fcontext -a -t mozilla_tmpfs_t '/srv/mymozilla_content(/.*)?'
       restorecon -R -v /srv/mymozilla_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.
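
       The file-context patterns above, together with the MANAGED FILES list,
       define which home-directory paths a mozilla_t process may manage, and
       the labels on disk only protect anything if they agree with those
       patterns. The script below is an added example, not part of the
       mozilla policy or of the sepolicy generator: it classifies paths
       against a subset of the mozilla_home_t patterns and flags entries whose
       on-disk label disagrees, which is the situation restorecon repairs. The
       pattern table is copied from the MANAGED FILES section with the dots
       escaped as they are in the policy's file_contexts; the "ls -Z" lines in
       SAMPLE_LSZ are constructed.

```sh
#!/bin/sh
# Added example: compare on-disk labels with the mozilla_home_t file-context
# patterns.  SAMPLE_LSZ is constructed "ls -Z" output ("CONTEXT PATH" per
# line); on a live system use something like
#   find ~ -maxdepth 2 -exec ls -Zd {} + | check_labels "$(cat)"
# after sourcing this file.

# expected_type PATH -> "mozilla_home_t" when one of the (subset of)
# mozilla_home_t patterns matches, else "other".  file_contexts regexes are
# anchored at both ends, hence the ^...$ wrapping.  The here-document is
# quoted so the backslashes reach grep untouched.
expected_type() {
    while read -r re; do
        if printf '%s\n' "$1" | grep -Eq "^${re}\$"; then
            echo mozilla_home_t
            return 0
        fi
    done <<'EOF'
/home/[^/]+/\.mozilla(/.*)?
/home/[^/]+/\.cache/mozilla(/.*)?
/home/[^/]+/\.thunderbird(/.*)?
/home/[^/]+/\.config/chromium(/.*)?
/home/[^/]+/\.ICAClient(/.*)?
/home/[^/]+/\.juniper_networks(/.*)?
EOF
    echo other
}

# check_labels LSZ_TEXT
# Prints "PATH actual=TYPE expected=TYPE" for two kinds of drift:
#  - a mozilla path carrying another type (the browser is denied access,
#    typically after a profile was restored from backup or copied with cp),
#  - a non-mozilla path carrying mozilla_home_t (the browser domain can now
#    manage something it was never meant to touch).
# Paths the mozilla policy does not care about are left alone.
check_labels() {
    printf '%s\n' "$1" | while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=$(printf '%s\n' "$ctx" | awk -F: '{ print $3 }')
        want=$(expected_type "$path")
        if [ "$actual" != "$want" ] &&
           { [ "$want" = mozilla_home_t ] || [ "$actual" = mozilla_home_t ]; }; then
            echo "$path actual=$actual expected=$want"
        fi
    done
}

SAMPLE_LSZ='unconfined_u:object_r:mozilla_home_t:s0 /home/alice/.mozilla
unconfined_u:object_r:user_home_t:s0 /home/alice/.mozilla/firefox/profiles.ini
unconfined_u:object_r:mozilla_home_t:s0 /home/alice/.thunderbird
unconfined_u:object_r:user_home_t:s0 /home/alice/Documents/notes.txt
unconfined_u:object_r:mozilla_home_t:s0 /home/alice/.ssh'

check_labels "$SAMPLE_LSZ"
```

       Both findings in the sample are fixed the same way, with restorecon
       -R -v on the affected path, because restorecon applies the pattern
       table rather than whatever label a file happened to carry; chcon would
       only paper over the symptom until the next relabel.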
257
       The following file types are defined for mozilla:


       mozilla_conf_t

       - Set files with the mozilla_conf_t type, if you want to treat the
       files as mozilla configuration data, usually stored under the /etc
       directory.


       mozilla_exec_t

       - Set files with the mozilla_exec_t type, if you want to transition an
       executable to the mozilla_t domain.

       Paths:
            /usr/lib/[^/]*firefox[^/]*/firefox,
            /usr/lib/[^/]*firefox[^/]*/firefox-bin,
            /usr/lib/mozilla[^/]*/reg.+, /usr/lib/firefox[^/]*/mozilla-.*,
            /usr/lib/mozilla[^/]*/mozilla-.*, /usr/bin/mozilla-[0-9].*,
            /usr/lib/netscape/.+/communicator/communicator-smotif.real,
            /usr/bin/mozilla-bin-[0-9].*, /usr/bin/mozilla, /usr/bin/epiphany,
            /usr/bin/netscape, /usr/bin/epiphany-bin, /usr/lib/galeon/galeon,
            /usr/bin/mozilla-snapshot, /usr/lib/netscape/base-4/wrapper


       mozilla_home_t

       - Set files with the mozilla_home_t type, if you want to store mozilla
       files in the user's home directory.

       Paths:
            /home/[^/]+/.lyx(/.*)?, /home/[^/]+/.java(/.*)?,
            /home/[^/]+/.adobe(/.*)?, /home/[^/]+/.gnash(/.*)?,
            /home/[^/]+/.webex(/.*)?, /home/[^/]+/.IBMERS(/.*)?,
            /home/[^/]+/.galeon(/.*)?, /home/[^/]+/.spicec(/.*)?,
            /home/[^/]+/POkemon.*(/.*)?, /home/[^/]+/.icedtea(/.*)?,
            /home/[^/]+/.mozilla(/.*)?, /home/[^/]+/.phoenix(/.*)?,
            /home/[^/]+/.netscape(/.*)?, /home/[^/]+/.ICAClient(/.*)?,
            /home/[^/]+/.quakelive(/.*)?, /home/[^/]+/.macromedia(/.*)?,
            /home/[^/]+/.thunderbird(/.*)?, /home/[^/]+/.gcjwebplugin(/.*)?,
            /home/[^/]+/.grl-podcasts(/.*)?, /home/[^/]+/.cache/mozilla(/.*)?,
            /home/[^/]+/.icedteaplugin(/.*)?, /home/[^/]+/zimbrauserdata(/.*)?,
            /home/[^/]+/.config/chromium(/.*)?,
            /home/[^/]+/.juniper_networks(/.*)?,
            /home/[^/]+/.cache/icedtea-web(/.*)?, /home/[^/]+/abc,
            /home/[^/]+/mozilla.pdf, /home/[^/]+/.gnashpluginrc


       mozilla_plugin_config_exec_t

       - Set files with the mozilla_plugin_config_exec_t type, if you want to
       transition an executable to the mozilla_plugin_config_t domain.


       mozilla_plugin_exec_t

       - Set files with the mozilla_plugin_exec_t type, if you want to
       transition an executable to the mozilla_plugin_t domain.

       Paths:
            /usr/lib/xulrunner[^/]*/plugin-container,
            /usr/lib/nspluginwrapper/npviewer.bin, /usr/bin/nspluginscan,
            /usr/bin/nspluginviewer, /usr/libexec/WebKitPluginProcess,
            /usr/lib/firefox/plugin-container


       mozilla_plugin_rw_t

       - Set files with the mozilla_plugin_rw_t type, if you want to treat the
       files as mozilla plugin read/write content.


       mozilla_plugin_tmp_t

       - Set files with the mozilla_plugin_tmp_t type, if you want to store
       mozilla plugin temporary files in the /tmp directories.


       mozilla_plugin_tmpfs_t

       - Set files with the mozilla_plugin_tmpfs_t type, if you want to store
       mozilla plugin files on a tmpfs file system.


       mozilla_tmp_t

       - Set files with the mozilla_tmp_t type, if you want to store mozilla
       temporary files in the /tmp directories.


       mozilla_tmpfs_t

       - Set files with the mozilla_tmpfs_t type, if you want to store mozilla
       files on a tmpfs file system.


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), mozilla(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), mozilla_plugin_selinux(8),
       mozilla_plugin_config_selinux(8)



mozilla                            19-10-08                 mozilla_selinux(8)